Addressing threats to health care's core values, especially those stemming from concentration and abuse of power. Advocating for accountability, integrity, transparency, honesty and ethics in leadership and governance of health care.

Thursday, February 18, 2016

To the cybernetic idealists out there who think computers are the greatest thing next to sliced bread in the healthcare environment, I say, pray you are not on the operating table when something like this happens:

Who would have thought that, for healthcare professionals, performing surgery, working long hours and navigating the dense world of U.S. health law would be easier than protecting hospital computer networks? That, however, appears to be the case after yet another hospital was victimized in a cyberattack. It’s just the latest example of a U.S. medical provider on the wrong end of a digital assault made possible by a lack of security measures.

Doctors at Hollywood Presbyterian Medical Center, in southern California, have been suffering serious computer issues for at least a week, the CEO announced Sunday. Doctors have been unable to digitally access patients’ medical records, staff has been communicating via fax machines and patients have reported long delays in receiving care. It’s all the result of a cyberattack carried out by unknown hackers who are demanding 9,000 bitcoins (roughly $3.4 million) to restore the system to normal.

Ransom for access to EHRs. The hospital's IT leadership should be held accountable for this invasion of the clinic by cybercriminals. It's not like the issue is unknown:

... “Hospitals are a veritable bullseye for hackers,” said Grayson Milbourne, security intelligence director at the cybersecurity company Webroot, which works with a number of hospitals and healthcare companies. Milbourne added that the value of patient records is an irresistible target for cybercriminals. “For starters, [hospitals] run on a tight budget and their IT infrastructure is often a very low priority when compared to affording new medical devices and staff.”

... According to NBC, the damage has caused the hospital to be unable to continue day-to-day operations. To keep up activity at the medical center, the staff has turned to manual documentation using pen and paper to take down patient information and jammed fax lines and telephones to communicate from one department to another. The administration has forbidden the use of other computers for fear that the harmful software could spread to more workstations. Allen Stefanek, President and CEO of the hospital, says that "significant IT issues" began to emerge last week, leading to a declaration of "internal emergency." He also mentions that the attack was random, not malicious, noting that the emergency rooms have been "sporadically impacted since Friday."

The realities of IT in 2016, when hospitals are increasingly dependent on IT command-and-control systems through which every transaction of care must pass, lead to the conclusion that an IT infrastructure that "is often a very low priority" reflects negligence.

Back to the IBT article. The CEO at this hospital proffers the usual BS:

Hollywood Presbyterian’s CEO [Allen Stefanek] told NBC, “Patient privacy has not been compromised." ... The intrusion has been described as a ransomware attack, which is typically defined as an attack that involves a hacker infiltrating a victim’s computer, and encrypting their data until the victim agrees to pay a bitcoin ransom. The hospital denies any patient data has been compromised.

Right. Hackers take control of information systems, but patient data has neither been altered, nor its privacy impaired.

From the second article:

... the patients are not safe from harm. Stefanek insists that the incident has no impact on the overall care for the patients, but some have spoken out to say otherwise. Jackie Mendez and her 87-year-old mother say that they have to drive to Palmdale to pick up medical tests, which takes them over one hour to do so. "It's bad. She's an older person. It's not right she has to do this," she says. Another patient named Belmont West is also affected by the incident. Belmont says he went to the hospital to get his grandmother's medical test results to no avail.

and there's this:

... some patients had to be transferred to other hospitals, as some of the medical equipment that need computers at the Hollywood Presbyterian Medical Center were rendered inoperable, including apparatuses for X-ray and CT scans, documentation and pharmacy and lab work.

The urgency [for hospitals to meet standards of care for IT security -ed.] is growing. One in three Americans had their health records breached in 2015, according to multiple reports released last month. Many of those records were breached as part of the nation-state hacks on health insurers Anthem and Primera, though experts predict hospitals will become more attractive targets as they begin to rely on insulin pumps, intravenous flows and other machines that are connected to the Internet.

I note that if hospitals cannot afford the required diligence, they need to get out of the IT business. Paper cannot be hacked or held for ransom en masse.

LOS ANGELES (AP) — A Los Angeles hospital paid a ransom of about $17,000 to hackers who infiltrated and disabled its computer network because paying was in the best interest of the hospital and the most efficient way to solve the problem, the medical center's chief executive said Wednesday. Hollywood Presbyterian Medical Center paid the demanded ransom of 40 bitcoins — currently worth $16,664 dollars — after the network infiltration that began Feb. 5, CEO Allen Stefanek said in a statement. ... "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Stefanek said. "In the best interest of restoring normal operations, we did this."

They got off cheap for their negligence, relative to the initial demands.

Questions remain, however:

Was any patient data altered or corrupted, either deliberately or as a result of the hack?

Was any patient data copied or stolen?

Was any malicious code left behind by the hackers on any computer on the network, e.g., "back doors" or other malware that could cause future problems? Put another way, after paying the ransom, does the hospital believe it is dealing with 'honorable criminals'?

One might presume the hospital, in an abundance of caution, is now paying after-the-fact for the expertise required to fully assure the integrity of its networks, computers and EHR and other business systems, but is this truly the case?

Were any patients harmed as a result of the disruptions to information flows, and if so, are the IT leaders in part liable?

Will any patients suffer harm moving forward as a result of lost computer information during the episode, incomplete backloads of data on the paper that was resorted to during the crisis, or other factors? Medical errors due to lost data can propagate forward in time, as I can attest to both personally and professionally.

It is my belief that, until and unless hospital leadership is held fully accountable for incidents such as this, this incident will be only one of many more to come.

Incidents like this are made more tragic by the increasing evidence that the benefits from healthcare cybernetics are not exactly what the zealots, pundits and industry opportunists advertised.

1 comment:

This is a bad sign that there is a lack of security on the medical records of patients here. Those records are private and hackers can use them for their own bad interests. We all know that when we turn back to manual documentation, the services slow down and many patients are left waiting for their turn. They should be ready with hardware data just in case this could happen; sadly, it's happening.
